Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: a0530c2
Author: Manuel
Date: 2026-03-21T14:04:54Z
Commit Message
fix: Create CLP not enforced before user field validation on signup (#10268)
Pull Request
PR: #10268 - fix: Create CLP not enforced before user field validation on signup
Labels: state:released-alpha
Description:
Issue
User enumeration via signup when create CLP is disabled
Tasks
Analysis
Vulnerability Type: User Enumeration
Severity: High
Description
Before the patch, the signup endpoint allowed user enumeration: when the class-level permission (CLP) for create was disabled, the response still differed depending on whether the username or email already existed, so an attacker could probe whether specific usernames or emails were registered. The patch enforces the create CLP before user field validation during signup, so the endpoint no longer returns distinct error messages and the enumeration channel is closed.
Affected Code
RestWrite.prototype.execute = function () {
  ...
  return this.setRequiredFieldsIfNeeded();
  // Missing early validateCreatePermission here
  ...
}
// Before the patch, the uniqueness check in transformUser ran before the create
// permission check, so a USERNAME_TAKEN error was returned even when create was
// forbidden, leaking whether the account exists. The fix runs
// validateCreatePermission before user field validation.
Proof of Concept
1. Create a user with username 'existingUser'.
2. Disable public create permission on the _User class via CLP.
3. Attempt to sign up with username 'existingUser' and a different password via POST /classes/_User.
4. Before patch: Response returns error code USERNAME_TAKEN or message 'Account already exists', revealing user existence.
5. After patch: Response returns OPERATION_FORBIDDEN without revealing whether the username exists.
Example request (before patch):
POST /classes/_User
{
  "username": "existingUser",
  "password": "otherpassword"
}
Response: { code: 202, error: "Account already exists" }
Example request (after patch): same request as above
Response: { code: 101, error: "Operation forbidden" }
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-21T18:01:06.390Z